SlideShare a Scribd company logo

Scada security

Download as PPTX, PDF
S
sommerville-videos

Discusses security vulnerabilities in SCADA systems

TechnologyBusiness
1 of 25
SCADA security, 2013 Slide 1 SCADA systems security
SCADA security, 2013 Slide 2 24/7 infrastructure availability • The infrastructure controlled by SCADA systems and PLCs often has to be continuously available and must operate as expected
SCADA security, 2013 Slide 3 Continuous operation • In some cases, it may be very disruptive to switch off PLC- controlled equipment as it is impossible to predict when the system will be required
SCADA security, 2013 Slide 4 Critical SCADA systems • Failure of controlled systems can lead to direct loss of life due to equipment failure or indirect losses due to failure of the critical infrastructure controlled by SCADA systems • SCADA must therefore be dependable – Safety and reliability – Security
SCADA security, 2013 Slide 5 SCADA safety and reliability • SCADA safety and reliability – Needs specific safety analysis techniques for PLCs because they are programmed in a different way (ladder logic) – SCADA systems are designed with redundancy and backup, which contributes to the availability of these systems
SCADA security, 2013 Slide 6 SCADA security
SCADA security, 2013 Slide 7 SCADA legacy systems • Security through isolation – SCADA systems, historically, were unconcerned with security because they were isolated systems • Security through obscurity – Non-standard programming languages and protocols used.
SCADA security, 2013 Slide 8 Security through isolation • If a system is not connected to the Internet, then it cannot be penetrated by attacks from the Internet • This is the so-called ‘air gap’ between the SCADA system and the rest of the world
SCADA security, 2013 Slide 9 Maroochy Water Breach • The Maroochy Water Breach (see video) was a cyberattack on a sewage treatment system in Australia carried out by an insider
SCADA security, 2013 Slide 10 Security through obscurity • Approach to security that is based on the fact that information about a system is not widely known or available so the assumption is that few people can successfully attack the system from outside
SCADA security, 2013 Slide 11 Security through obscurity • Susceptible to insider attack from those who know the information inside the organization • SCADA systems are sold globally – therefore information is available to other countries who may be potentially hostile • Information on SCADA systems can be stolen and used by attackers
SCADA security, 2013 Slide 12 SCADA connectivity • 3rd generation SCADA systems are now reliant on standard IT technologies and protocols (Microsoft Windows, TCP/IP, web browsers, organisational wireless networks, etc.) • Integrated with older SCADA systems
SCADA security, 2013 Slide 13 Internet-based SCADA
SCADA security, 2013 Slide 14 SCADA legacy systems • There are a huge number of 2nd generation SCADA systems that are still in use and are likely to remain in use for many years – Infrastructure systems can have a 20+ year lifetime • However, these are now being ‘updated’ with new equipment which is network-connected • These older legacy systems were developed without security awareness and so are particularly vulnerable to attack
SCADA security, 2013 Slide 15 The myth of the ‘air gap’ • Direct connections to vendors for maintenance, stock ordering etc. • Connected to enterprise systems, which in turn are on the Internet.
SCADA security, 2013 Slide 16 The myth of the air gap • PCs used by operators may be multi- functional and internet connected • Operators transfer information using USB drives
SCADA security, 2013 Slide 17 SCADA vulnerabilities
SCADA security, 2013 Slide 18 SCADA security vulnerabilities • Weak passwords • Open to port scanning to discover SCADA systems on network • Lack of input validation –buffer overflow and SQL poisoning • Unencrypted network traffic
SCADA security, 2013 Slide 19 SCADA security challenges • SCADA systems and PLC software is normally developed by engineering companies with very limited experience of developing secure systems • The system developers are usually domain experts (oil and gas engineers, power engineers, etc.) rather than software engineers. • They may have had no training in security techniques.
SCADA security, 2013 Slide 20 SCADA security challenges • Not always possible to use standard security tools and techniques: – It may not be possible to install anti-virus protection on process control systems, owing to the lack of processor power on legacy systems, the age of operating systems or the lack of vendor certification.
SCADA security, 2013 Slide 21 SCADA security challenges • Security testing on process control systems must also be approached with extreme caution – security scanning can seriously affect the operation of many control devices. • There are sometimes few opportunities to take the systems off-line for routine testing, patching and maintenance.
SCADA security, 2013 Slide 22 Improving SCADA security • Government and industry reports to raise awareness of SCADA security issues • Establishment of bodies specifically concerned with infrastructure protection who can advise on SCADA system security
SCADA security, 2013 Slide 23 Improving SCADA security • Better security education and training for SCADA developers • Need for regulators to become involved – security certification
SCADA security, 2013 Slide 24 © David Shankbone 2012
SCADA security, 2013 Slide 25 Summary • Government organisations are seriously concerned about the vulnerability of SCADA systems to cyberattacks and the consequences for our national infrastructure • SCADA systems connected to internet so vulnerable to external attack • SCADA systems are often old systems that were built without security concerns – therefore are vulnerable to external attack

Recommended

SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security Presentation
Filip Maertens
 
Introduction to ICS/SCADA security
Introduction to ICS/SCADA securityIntroduction to ICS/SCADA security
Introduction to ICS/SCADA security
Cysinfo Cyber Security Community
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Security
amiable_indian
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA
Jeffrey Wang , P.Eng
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber Resilience
Peter Wood
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
Jiunn-Jer Sun
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 

Recommended

SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security Presentation
Filip Maertens
 
Introduction to ICS/SCADA security
Introduction to ICS/SCADA securityIntroduction to ICS/SCADA security
Introduction to ICS/SCADA security
Cysinfo Cyber Security Community
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Security
amiable_indian
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA
Jeffrey Wang , P.Eng
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber Resilience
Peter Wood
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
Jiunn-Jer Sun
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
OWASP Delhi
 
Industrial Security.pdf
Industrial Security.pdfIndustrial Security.pdf
Industrial Security.pdf
AhmedRKhan
 
ICS security
ICS securityICS security
ICS security
Ahmed Shitta
 
Security Architecture for Cyber Physical Systems
Security Architecture for Cyber Physical SystemsSecurity Architecture for Cyber Physical Systems
Security Architecture for Cyber Physical Systems
Alan Tatourian
 
SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA Presentation
Eric Favetta
 
Presentaton on Plc & Scada
Presentaton on Plc & ScadaPresentaton on Plc & Scada
Presentaton on Plc & Scada
Nokia Technology
 
Introducing scada
Introducing scadaIntroducing scada
Introducing scada
sommerville-videos
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
Larry Vandenaweele
 
Automating security hardening
Automating security hardeningAutomating security hardening
Automating security hardening
Ugljesa Novak, CISSP
 
Cybersecurity for Smart Grids: Vulnerabilities and Strategies to Provide Cybe...
Cybersecurity for Smart Grids: Vulnerabilities and Strategies to Provide Cybe...Cybersecurity for Smart Grids: Vulnerabilities and Strategies to Provide Cybe...
Cybersecurity for Smart Grids: Vulnerabilities and Strategies to Provide Cybe...
Leonardo ENERGY
 
TI Safe ICS Cybersecurity Training
TI Safe ICS Cybersecurity TrainingTI Safe ICS Cybersecurity Training
TI Safe ICS Cybersecurity Training
TI Safe
 
Scada system architecture, types and applications
Scada system architecture, types and applicationsScada system architecture, types and applications
Scada system architecture, types and applications
Uchi Pou
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat Landscapefinal
Mahmoud Yassin
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metrics
Vladimir Jirasek
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How To
Jim Gilsinn
 
Understanding cyber resilience
Understanding cyber resilienceUnderstanding cyber resilience
Understanding cyber resilience
Christophe Foulon, CISSP
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
PECB
 
NIST SP 800 30 Flow Chart
NIST SP 800 30 Flow ChartNIST SP 800 30 Flow Chart
NIST SP 800 30 Flow Chart
James W. De Rienzo
 
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
What We’ve Learned Building a Cyber Security Operation Center: du Case StudyWhat We’ve Learned Building a Cyber Security Operation Center: du Case Study
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
Priyanka Aash
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsBuilding a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS Environments
Shah Sheikh
 
LIBRARY RESEARCH PROJECT SECURITY CONTROL IN SCADA
LIBRARY RESEARCH PROJECT SECURITY CONTROL IN SCADALIBRARY RESEARCH PROJECT SECURITY CONTROL IN SCADA
LIBRARY RESEARCH PROJECT SECURITY CONTROL IN SCADA
SonuSingh81247
 
LIBRARY RESEARCH PROJECT cyber security control inSCAD.ppt
LIBRARY RESEARCH PROJECT cyber security control inSCAD.pptLIBRARY RESEARCH PROJECT cyber security control inSCAD.ppt
LIBRARY RESEARCH PROJECT cyber security control inSCAD.ppt
SonuSingh81247
 

More Related Content

What's hot

SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA Presentation
Eric Favetta
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
Larry Vandenaweele
 
Cybersecurity for Smart Grids: Vulnerabilities and Strategies to Provide Cybe...
Cybersecurity for Smart Grids: Vulnerabilities and Strategies to Provide Cybe...Cybersecurity for Smart Grids: Vulnerabilities and Strategies to Provide Cybe...
Cybersecurity for Smart Grids: Vulnerabilities and Strategies to Provide Cybe...
Leonardo ENERGY
 
Scada system architecture, types and applications
Scada system architecture, types and applicationsScada system architecture, types and applications
Scada system architecture, types and applications
Uchi Pou
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
PECB
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsBuilding a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS Environments
Shah Sheikh
 

What's hot (20)

ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
Industrial Security.pdf
Industrial Security.pdfIndustrial Security.pdf
Industrial Security.pdf
 
ICS security
ICS securityICS security
ICS security
 
Security Architecture for Cyber Physical Systems
Security Architecture for Cyber Physical SystemsSecurity Architecture for Cyber Physical Systems
Security Architecture for Cyber Physical Systems
 
SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA Presentation
 
Presentaton on Plc & Scada
Presentaton on Plc & ScadaPresentaton on Plc & Scada
Presentaton on Plc & Scada
 
Introducing scada
Introducing scadaIntroducing scada
Introducing scada
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
 
Automating security hardening
Automating security hardeningAutomating security hardening
Automating security hardening
 
Cybersecurity for Smart Grids: Vulnerabilities and Strategies to Provide Cybe...
Cybersecurity for Smart Grids: Vulnerabilities and Strategies to Provide Cybe...Cybersecurity for Smart Grids: Vulnerabilities and Strategies to Provide Cybe...
Cybersecurity for Smart Grids: Vulnerabilities and Strategies to Provide Cybe...
 
TI Safe ICS Cybersecurity Training
TI Safe ICS Cybersecurity TrainingTI Safe ICS Cybersecurity Training
TI Safe ICS Cybersecurity Training
 
Scada system architecture, types and applications
Scada system architecture, types and applicationsScada system architecture, types and applications
Scada system architecture, types and applications
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat Landscapefinal
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metrics
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How To
 
Understanding cyber resilience
Understanding cyber resilienceUnderstanding cyber resilience
Understanding cyber resilience
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
NIST SP 800 30 Flow Chart
NIST SP 800 30 Flow ChartNIST SP 800 30 Flow Chart
NIST SP 800 30 Flow Chart
 
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
What We’ve Learned Building a Cyber Security Operation Center: du Case StudyWhat We’ve Learned Building a Cyber Security Operation Center: du Case Study
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsBuilding a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS Environments
 

Similar to Scada security

LIBRARY RESEARCH PROJECT SECURITY CONTROL IN SCADA
LIBRARY RESEARCH PROJECT SECURITY CONTROL IN SCADALIBRARY RESEARCH PROJECT SECURITY CONTROL IN SCADA
LIBRARY RESEARCH PROJECT SECURITY CONTROL IN SCADA
SonuSingh81247
 
LIBRARY RESEARCH PROJECT cyber security control inSCAD.ppt
LIBRARY RESEARCH PROJECT cyber security control inSCAD.pptLIBRARY RESEARCH PROJECT cyber security control inSCAD.ppt
LIBRARY RESEARCH PROJECT cyber security control inSCAD.ppt
SonuSingh81247
 
SCADA Security Training
SCADA Security TrainingSCADA Security Training
SCADA Security Training
Bryan Len
 
SCADA Exposure Will Short-Circuit US Utilities
SCADA Exposure Will Short-Circuit US UtilitiesSCADA Exposure Will Short-Circuit US Utilities
SCADA Exposure Will Short-Circuit US Utilities
FitCEO, Inc. (FCI)
 
Defending Applications In the Cloud: Architecting Layered Security Solutions ...
Defending Applications In the Cloud: Architecting Layered Security Solutions ...Defending Applications In the Cloud: Architecting Layered Security Solutions ...
Defending Applications In the Cloud: Architecting Layered Security Solutions ...
EC-Council
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
Patricia M Watson
 
PT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolPT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrol
Shah Sheikh
 

Similar to Scada security (20)

LIBRARY RESEARCH PROJECT SECURITY CONTROL IN SCADA
LIBRARY RESEARCH PROJECT SECURITY CONTROL IN SCADALIBRARY RESEARCH PROJECT SECURITY CONTROL IN SCADA
LIBRARY RESEARCH PROJECT SECURITY CONTROL IN SCADA
 
LIBRARY RESEARCH PROJECT cyber security control inSCAD.ppt
LIBRARY RESEARCH PROJECT cyber security control inSCAD.pptLIBRARY RESEARCH PROJECT cyber security control inSCAD.ppt
LIBRARY RESEARCH PROJECT cyber security control inSCAD.ppt
 
SCADA Security Training
SCADA Security TrainingSCADA Security Training
SCADA Security Training
 
CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...
CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...
CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...
 
SCADA Systems and its security!
SCADA Systems and its security!SCADA Systems and its security!
SCADA Systems and its security!
 
Why SIL3 (ENG)
Why SIL3 (ENG)Why SIL3 (ENG)
Why SIL3 (ENG)
 
SCADA Exposure Will Short-Circuit US Utilities
SCADA Exposure Will Short-Circuit US UtilitiesSCADA Exposure Will Short-Circuit US Utilities
SCADA Exposure Will Short-Circuit US Utilities
 
Defending Applications In the Cloud: Architecting Layered Security Solutions ...
Defending Applications In the Cloud: Architecting Layered Security Solutions ...Defending Applications In the Cloud: Architecting Layered Security Solutions ...
Defending Applications In the Cloud: Architecting Layered Security Solutions ...
 
Scada Basic Training
Scada Basic TrainingScada Basic Training
Scada Basic Training
 
Session 17 - SCADA Introduction
Session 17 - SCADA IntroductionSession 17 - SCADA Introduction
Session 17 - SCADA Introduction
 
SCADA Introduction
SCADA IntroductionSCADA Introduction
SCADA Introduction
 
Training manual on scada
Training manual on scadaTraining manual on scada
Training manual on scada
 
Scada Security & Penetration Testing
Scada Security & Penetration TestingScada Security & Penetration Testing
Scada Security & Penetration Testing
 
Cybersecurity 3 cybersecurity costs and causes
Cybersecurity 3 cybersecurity costs and causesCybersecurity 3 cybersecurity costs and causes
Cybersecurity 3 cybersecurity costs and causes
 
chapitre1-cloud security basics-23 (1).pptx
chapitre1-cloud security basics-23 (1).pptxchapitre1-cloud security basics-23 (1).pptx
chapitre1-cloud security basics-23 (1).pptx
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
 
Design Like a Pro: SCADA Security Guidelines
Design Like a Pro: SCADA Security GuidelinesDesign Like a Pro: SCADA Security Guidelines
Design Like a Pro: SCADA Security Guidelines
 
PT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolPT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrol
 
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Open and Secure SCADA: Efficient and Economical Control, Without the RiskOpen and Secure SCADA: Efficient and Economical Control, Without the Risk
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
 
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Open and Secure SCADA: Efficient and Economical Control, Without the RiskOpen and Secure SCADA: Efficient and Economical Control, Without the Risk
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
 

More from sommerville-videos

System of systems classification
System of systems classificationSystem of systems classification
System of systems classification
sommerville-videos
 

More from sommerville-videos (20)

Architectural patterns for real-time systems
Architectural patterns for real-time systemsArchitectural patterns for real-time systems
Architectural patterns for real-time systems
 
Introduction to real time software systems script
Introduction to real time software systems scriptIntroduction to real time software systems script
Introduction to real time software systems script
 
System of systems classification
System of systems classificationSystem of systems classification
System of systems classification
 
Reuse landscape
Reuse landscapeReuse landscape
Reuse landscape
 
Introduction to systems of systems
Introduction to systems of systemsIntroduction to systems of systems
Introduction to systems of systems
 
Scaling agile
Scaling agileScaling agile
Scaling agile
 
Agile methods for large systems
Agile methods for large systemsAgile methods for large systems
Agile methods for large systems
 
User stories
User storiesUser stories
User stories
 
Agile and plan based development processes
Agile and plan based development processesAgile and plan based development processes
Agile and plan based development processes
 
Fundamental software engineering activities
Fundamental software engineering activitiesFundamental software engineering activities
Fundamental software engineering activities
 
Introducing Software Engineering
Introducing Software EngineeringIntroducing Software Engineering
Introducing Software Engineering
 
Why se script
Why se scriptWhy se script
Why se script
 
Ariane 5 launcher failure
Ariane 5 launcher failure Ariane 5 launcher failure
Ariane 5 launcher failure
 
Airbus Flight Control System
Airbus Flight Control SystemAirbus Flight Control System
Airbus Flight Control System
 
Warsaw airbus accident
Warsaw airbus accidentWarsaw airbus accident
Warsaw airbus accident
 
Stakeholders, viewpoints and concerns
Stakeholders, viewpoints and concernsStakeholders, viewpoints and concerns
Stakeholders, viewpoints and concerns
 
Requirements engineering processes
Requirements engineering processesRequirements engineering processes
Requirements engineering processes
 
Requirements engineering challenges
Requirements engineering challengesRequirements engineering challenges
Requirements engineering challenges
 
Intro to requirements eng.
Intro to requirements eng.Intro to requirements eng.
Intro to requirements eng.
 
Emergent properties
Emergent propertiesEmergent properties
Emergent properties
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 

Recently uploaded (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Scada security

  • 1. SCADA security, 2013 Slide 1 SCADA systems security
  • 2. SCADA security, 2013 Slide 2 24/7 infrastructure availability • The infrastructure controlled by SCADA systems and PLCs often has to be continuously available and must operate as expected
  • 3. SCADA security, 2013 Slide 3 Continuous operation • In some cases, it may be very disruptive to switch off PLC- controlled equipment as it is impossible to predict when the system will be required
  • 4. SCADA security, 2013 Slide 4 Critical SCADA systems • Failure of controlled systems can lead to direct loss of life due to equipment failure or indirect losses due to failure of the critical infrastructure controlled by SCADA systems • SCADA must therefore be dependable – Safety and reliability – Security
  • 5. SCADA security, 2013 Slide 5 SCADA safety and reliability • SCADA safety and reliability – Needs specific safety analysis techniques for PLCs because they are programmed in a different way (ladder logic) – SCADA systems are designed with redundancy and backup, which contributes to the availability of these systems
  • 6. SCADA security, 2013 Slide 6 SCADA security
  • 7. SCADA security, 2013 Slide 7 SCADA legacy systems • Security through isolation – SCADA systems, historically, were unconcerned with security because they were isolated systems • Security through obscurity – Non-standard programming languages and protocols used.
  • 8. SCADA security, 2013 Slide 8 Security through isolation • If a system is not connected to the Internet, then it cannot be penetrated by attacks from the Internet • This is the so-called ‘air gap’ between the SCADA system and the rest of the world
  • 9. SCADA security, 2013 Slide 9 Maroochy Water Breach • The Maroochy Water Breach (see video) was a cyberattack on a sewage treatment system in Australia carried out by an insider
  • 10. SCADA security, 2013 Slide 10 Security through obscurity • Approach to security that is based on the fact that information about a system is not widely known or available so the assumption is that few people can successfully attack the system from outside
  • 11. SCADA security, 2013 Slide 11 Security through obscurity • Susceptible to insider attack from those who know the information inside the organization • SCADA systems are sold globally – therefore information is available to other countries who may be potentially hostile • Information on SCADA systems can be stolen and used by attackers
  • 12. SCADA security, 2013 Slide 12 SCADA connectivity • 3rd generation SCADA systems are now reliant on standard IT technologies and protocols (Microsoft Windows, TCP/IP, web browsers, organisational wireless networks, etc.) • Integrated with older SCADA systems
  • 13. SCADA security, 2013 Slide 13 Internet-based SCADA
  • 14. SCADA security, 2013 Slide 14 SCADA legacy systems • There are a huge number of 2nd generation SCADA systems that are still in use and are likely to remain in use for many years – Infrastructure systems can have a 20+ year lifetime • However, these are now being ‘updated’ with new equipment which is network-connected • These older legacy systems were developed without security awareness and so are particularly vulnerable to attack
  • 15. SCADA security, 2013 Slide 15 The myth of the ‘air gap’ • Direct connections to vendors for maintenance, stock ordering etc. • Connected to enterprise systems, which in turn are on the Internet.
  • 16. SCADA security, 2013 Slide 16 The myth of the air gap • PCs used by operators may be multi- functional and internet connected • Operators transfer information using USB drives
  • 17. SCADA security, 2013 Slide 17 SCADA vulnerabilities
  • 18. SCADA security, 2013 Slide 18 SCADA security vulnerabilities • Weak passwords • Open to port scanning to discover SCADA systems on network • Lack of input validation –buffer overflow and SQL poisoning • Unencrypted network traffic
  • 19. SCADA security, 2013 Slide 19 SCADA security challenges • SCADA systems and PLC software is normally developed by engineering companies with very limited experience of developing secure systems • The system developers are usually domain experts (oil and gas engineers, power engineers, etc.) rather than software engineers. • They may have had no training in security techniques.
  • 20. SCADA security, 2013 Slide 20 SCADA security challenges • Not always possible to use standard security tools and techniques: – It may not be possible to install anti-virus protection on process control systems, owing to the lack of processor power on legacy systems, the age of operating systems or the lack of vendor certification.
  • 21. SCADA security, 2013 Slide 21 SCADA security challenges • Security testing on process control systems must also be approached with extreme caution – security scanning can seriously affect the operation of many control devices. • There are sometimes few opportunities to take the systems off-line for routine testing, patching and maintenance.
  • 22. SCADA security, 2013 Slide 22 Improving SCADA security • Government and industry reports to raise awareness of SCADA security issues • Establishment of bodies specifically concerned with infrastructure protection who can advise on SCADA system security
  • 23. SCADA security, 2013 Slide 23 Improving SCADA security • Better security education and training for SCADA developers • Need for regulators to become involved – security certification
  • 24. SCADA security, 2013 Slide 24 © David Shankbone 2012
  • 25. SCADA security, 2013 Slide 25 Summary • Government organisations are seriously concerned about the vulnerability of SCADA systems to cyberattacks and the consequences for our national infrastructure • SCADA systems connected to internet so vulnerable to external attack • SCADA systems are often old systems that were built without security concerns – therefore are vulnerable to external attack